
A Study Of Grouping And Compressing Algorithm Of Snort Rules

Posted on: 2015-03-03
Degree: Master
Type: Thesis
Country: China
Candidate: W W You
Full Text: PDF
GTID: 2308330464966575
Subject: Computer technology
Abstract/Summary:
Network security faces severe challenges because of the rapid growth of the Internet. Beyond the traditional protective measures, intrusion detection is regarded as a proactive defense and as a new generation of security technology. Snort, one such intrusion detection system, is driven by Snort rules: diverse intrusions and malicious code are analyzed in depth, their characteristic behaviors are extracted and expressed in a specific rule syntax, and the result forms the Snort rule set. Packets captured on the network are then matched against the rule set to perform intrusion detection.

In Snort, the efficiency of rule matching is the decisive factor in overall performance. To improve matching efficiency, this thesis proposes a method that transforms Snort rules into deterministic finite automata (DFAs). A new DFA grouping method is then applied: it groups and merges the automata according to the signatures of the DFAs and the cross relations between them, which indirectly reduces the number of automata that require exact matching. Moreover, because DFA matching consumes a large amount of storage, the DFAs must be compressed for use in large-scale networks. To address this, a new compression and storage algorithm based on cluster segmentation is proposed: the state transition matrix of the DFA is divided into three tables, which are then compressed. Experimental results show that grouping by the signatures extracted from the Snort rule set reduces the number of DFAs from 7221 to 1576, and that nearly 80% of the storage space is saved. The experimental results show that the proposed algorithms are effective.
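The pipeline the abstract describes (rule content strings to a byte-level DFA, table-driven matching, then shrinking the state transition matrix) can be made concrete with a small prototype. The following is an added example written for this page, not code from the thesis: it extracts the content: patterns from a few constructed Snort rules, compiles them into one Aho-Corasick automaton with every transition materialised (so matching is a plain DFA table lookup), and then stores the table in a default-transition form in which each state keeps only the entries that differ from its failure state's row. That default-transition form is a generic DFA compression chosen for illustration; it is not the thesis's cluster-segmentation / three-table scheme, which the abstract does not describe in enough detail to reproduce. The sample rules, sids and all function and class names are constructed for the example.

```python
import re
from collections import deque

# Constructed sample rules for this example (not taken from any real ruleset).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"web cmd.exe"; content:"cmd.exe"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"web passwd"; content:"/etc/passwd"; sid:1000002;)',
    'alert tcp any any -> any 21 (msg:"ftp SITE EXEC"; content:"SITE EXEC"; sid:1000003;)',
    'alert tcp any any -> any any (msg:"traversal"; content:"|2f 2e 2e 2f|"; sid:1000004;)',
]
_CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')
_SID_RE = re.compile(r'\bsid:(\d+)')

def parse_content(raw):
    """Decode one Snort content string: |hh hh| hex blocks become raw bytes
    and a backslash escape (\\" \\; \\\\) becomes the escaped character."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == '|':
            j = raw.index('|', i + 1)
            out += bytes.fromhex(raw[i + 1:j])
            i = j + 1
        elif raw[i] == '\\':
            out.append(ord(raw[i + 1]))
            i += 2
        else:
            out.append(ord(raw[i]))
            i += 1
    return bytes(out)

def extract_signatures(rules):
    """Return [(sid, pattern_bytes)] for every content: option in the rules."""
    sigs = []
    for rule in rules:
        sid = int(_SID_RE.search(rule).group(1))
        sigs += [(sid, parse_content(m.group(1))) for m in _CONTENT_RE.finditer(rule)]
    return sigs

class SignatureDFA:
    """Aho-Corasick automaton over bytes with every transition materialised (a plain DFA)."""

    def __init__(self, sigs):
        self.goto, self.output = [{}], [set()]   # trie edges; sids ending at each state
        for sid, pat in sigs:
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({})
                    self.output.append(set())
                s = self.goto[s][b]
            self.output[s].add(sid)
        n = len(self.goto)
        self.fail, self.order = [0] * n, [0]     # failure links; states in BFS order
        q = deque(self.goto[0].values())
        while q:
            u = q.popleft()
            self.order.append(u)
            for b, v in self.goto[u].items():
                f = self.fail[u]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[v] = self.goto[f].get(b, 0)
                self.output[v] |= self.output[self.fail[v]]   # inherit suffix matches
                q.append(v)
        # Dense n x 256 transition matrix: a missing trie edge copies the failure state's row.
        self.table = [None] * n
        for s in self.order:
            base = self.table[self.fail[s]] if s else [0] * 256
            self.table[s] = [self.goto[s].get(b, base[b]) for b in range(256)]

    def scan(self, payload):
        """Return the sids whose content pattern occurs anywhere in payload."""
        s, hits = 0, set()
        for b in payload:
            s = self.table[s][b]
            hits |= self.output[s]
        return hits

    def compress(self):
        """Default-transition form: each state stores its failure state as the default and
        only the bytes whose target differs from that state's row (not the thesis's scheme)."""
        comp = {0: (None, {b: t for b, t in enumerate(self.table[0]) if t})}
        for s in self.order[1:]:
            base = self.table[self.fail[s]]
            comp[s] = (self.fail[s], {b: t for b, t in enumerate(self.table[s]) if t != base[b]})
        return comp

    def sizes(self):
        """Transition entries held by the dense matrix versus explicit entries after compression."""
        comp = self.compress()
        return {"states": len(self.table), "dense": 256 * len(self.table),
                "explicit": sum(len(exc) for _, exc in comp.values())}

def compressed_step(comp, s, b):
    """One transition on the compressed table: follow default links until an explicit
    entry for byte b appears; the root's implicit default is state 0."""
    while True:
        default, exc = comp[s]
        if b in exc:
            return exc[b]
        if default is None:
            return 0
        s = default

def compressed_equals_dense(dfa):
    """Exhaustively check that the compressed form reproduces every dense transition."""
    comp = dfa.compress()
    return all(compressed_step(comp, s, b) == dfa.table[s][b]
               for s in range(len(dfa.table)) for b in range(256))
```

Running SignatureDFA(extract_signatures(SAMPLE_RULES)) on the four constructed rules gives 31 states, so the dense matrix holds 31 x 256 = 7936 entries, while the default-transition form keeps only the 30 trie edges as explicit entries plus one default link per state. The price of that saving is the usual one for deferred transitions: a lookup may have to walk several default links per input byte instead of performing a single indexed load, which is the space/time trade-off any compressed DFA storage scheme, including the thesis's, has to manage.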
Keywords/Search Tags: Snort, DFA, matching, grouping, compression